how to deny .jsp execution within an upload directory
Hello,

Can somebody please point me to documentation and examples that describe how to disallow the execution of .jsp or any other scripts/binaries within a single directory of a web application? Part of the web app is being allowed to upload reports which can then be read and downloaded by another. At this time I can upload a .jsp file and it will run in that directory. I have found much stuff on SecurityManager and syntax within the catalina.policy file but nothing yet that really explains to me what I need to do to accomplish what I described above. My attempts so far at proper catalina.policy syntax have not worked. This is a pure Tomcat environment running Tomcat 4.1.30 at this time. Other comments regarding the proper use of an upload directory and its security are welcome.

Thank you.
Chris

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: how to deny .jsp execution within an upload directory
I do this by not allowing the upload tool to write files with .jsp or .jspx extensions in the first place. I also disallow .. in any part of the filename. You could also write a filter that scans any requests going to that directory and checks for those extensions.

On Fri, 2004-10-29 at 18:05, Chris Lawder wrote:
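The first approach in the reply above (refuse the dangerous names at upload time), as an added example that is not the poster's upload tool. It assumes the only extensions Tomcat's default conf/web.xml maps to the JSP servlet are .jsp and .jspx; the class and method names are hypothetical.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not the poster's own upload tool: validate a client-supplied
// filename before anything is written into the reports directory.
public final class UploadNameValidator {
    // Extensions that Tomcat's default conf/web.xml maps to the JSP servlet.
    // Extend this with anything else your own web.xml maps to an executing servlet.
    private static final Set<String> EXECUTABLE = Set.of("jsp", "jspx");
    // A plain base name only: no leading dot, no separators, bounded length.
    private static final Pattern PLAIN = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    private UploadNameValidator() {}

    // Returns the name to store, or throws IllegalArgumentException.
    public static String safeName(String clientName) {
        if (clientName == null) throw new IllegalArgumentException("missing filename");
        String name = clientName.trim();
        // Reject, rather than silently strip, any path component or traversal:
        // the regex also rejects NUL bytes, spaces and other separators.
        if (name.isEmpty() || name.contains("..") || name.indexOf('/') >= 0
                || name.indexOf('\\') >= 0 || !PLAIN.matcher(name).matches()) {
            throw new IllegalArgumentException("unacceptable filename: " + clientName);
        }
        // Check every dotted segment, not only the last, so "report.jsp" and
        // "report.jsp.bak" are both refused (case-insensitively, for Windows hosts).
        for (String part : name.toLowerCase(Locale.ROOT).split("\\.")) {
            if (EXECUTABLE.contains(part)) {
                throw new IllegalArgumentException("executable extension refused: " + name);
            }
        }
        return name;
    }

    // Constructed sample inputs for a quick check.
    public static void main(String[] args) {
        String[] samples = { "q3-report.pdf", "C:\\docs\\notes.txt", "../../WEB-INF/web.xml",
                             "shell.JSP", "shell.jsp.txt", "report.jspx" };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + safeName(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the rest are refused for traversal, separators or an executable segment.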
Re: how to deny .jsp execution within an upload directory
The easiest way to do this would be to create a filter on that directory. The filter would either deny access, or it would get the default servlet via the ServletContext.getNamedDispatcher() and then perform a forwards().

-Tim

Chris Lawder wrote:
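Tim's second option (forward to Tomcat's default servlet) as an added example, not his code. It assumes the javax.servlet API of the Tomcat 4 era, that the upload directory is served under /reports/, and that Tomcat's static-file servlet is registered under the name "default" in conf/web.xml; the filter name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example, not Tim's code: a filter mapped to the upload directory that hands
// every request to Tomcat's "default" servlet, so an uploaded .jsp is streamed as a
// file instead of being compiled and run.
//
// web.xml (assumed upload path /reports/):
//   <filter><filter-name>staticOnly</filter-name>
//           <filter-class>StaticOnlyFilter</filter-class></filter>
//   <filter-mapping><filter-name>staticOnly</filter-name>
//                   <url-pattern>/reports/*</url-pattern></filter-mapping>
public class StaticOnlyFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) response;
        // "default" is the name Tomcat's conf/web.xml gives its static-file servlet.
        RequestDispatcher staticServlet = context.getNamedDispatcher("default");
        if (staticServlet == null) {
            // Fail closed: with no safe way to serve the file, deny rather than fall through.
            http.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Make browsers download the report rather than render it inline.
        http.setHeader("Content-Disposition", "attachment");
        http.setHeader("X-Content-Type-Options", "nosniff");
        staticServlet.forward(request, response);
        // chain.doFilter() is deliberately never called: the JSP servlet, which the
        // *.jsp extension mapping would otherwise select, never sees this request.
    }

    public void destroy() {
        context = null;
    }
}
```

Because filters run before servlet selection, the *.jsp mapping to the JSP servlet is bypassed for everything under /reports/, which is the point of Tim's suggestion.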
Re: how to deny .jsp execution within an upload directory
For robust installations, this problem is a non-issue due to JSP precompilation. Everyone's situation is different, of course, but it is generally much more secure to precompile your JSPs and disable the dynamic compilation of new ones.

justin

At 03:25 PM 10/29/2004, you wrote:

__
Justin Ruthenbeck
Lead Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See: http://www.nextengine.com/confidentiality.php
__